Strategy Community Knowledge Base (© Strategy Inc.)
KB484969: Methods for generating certificate authority


Tianfeng (Jimmy) Jiang

Quality Engineer, Principal • MicroStrategy


This article outlines three methods for generating a certificate authority (CA) for development or testing use, and for issuing a CA-signed server certificate from it.

A CA-signed server certificate is what lets Platform Analytics clients authenticate the server and protect data in transit; the CA certificate is what those clients are configured to trust. Keep the CA private key (ca-key or CAprivateKey.pem below) off the servers and out of the keystores you distribute: anyone holding it can issue certificates that every client trusting the CA will accept. See KB484968 for further instructions on generating keys and certificates.

Method 1

  • CA-signed certificate with SAN (subjectAltName) validation
  • Created with OpenSSL and keytool
  • RSA key

Steps

  1. Copy
    C:\Program Files (x86)\Common Files\Strategy\Apache\Apache24\conf\openssl.cnf
    and modify the copy with the following changes:
    1. enable
      copy_extensions = copy
      so that the SAN in the signing request is carried into the issued certificate (without it, openssl ca silently drops the request's extensions and the certificate fails SAN validation)
    2. change
      string_mask = utf8only
      to
      string_mask = pkix
      so that the DN strings OpenSSL writes use the same encoding (PrintableString for plain ASCII) that keytool uses; openssl ca's default policy compares the request's DN fields with the CA's, and differently encoded values do not match
  2. Generate the CA key and certificate with the modified copy of openssl.cnf:
    
    openssl req -new -x509 -keyout ca-key -out ca-cert -days 1000 -config "C:\Users\admin\Documents\KafKa\E2E\SAN\openssl.cnf"
    
    

  3. Add the CA (root) certificate to the client trust store (keytool prints the certificate and asks whether to trust it; answer yes):
    
    keytool -keystore client.truststore.jks -alias CARoot -import -file ca-cert
    
    

  4. Generate server keystore with SAN:
    
    keytool -keystore server.keystore.jks -alias tec-w-003752 -validity 1000 -genkey -keyalg RSA -ext SAN=DNS:tec-w-003752.labs.Strategy.com,IP:10.23.4.99
    

  5. Generate CA signing request with SAN:
    
    keytool -keystore server.keystore.jks -alias tec-w-003752 -certreq -file cert-file -ext SAN=DNS:tec-w-003752.labs.Strategy.com,IP:10.23.4.99
    

  6. Modify
    openssl.cnf
    to set up the CA signing environment (see Additional Notes). Sign the request; openssl ca writes a human-readable dump in front of the PEM block, and the second command keeps only the PEM:
    
    openssl ca -config "C:\Users\admin\Documents\KafKa\E2E\SAN\CA\openssl.cnf" -in cert-file -out CASignedCert.crt
    openssl x509 -in CASignedCert.crt -out CASignedCert.pem
    
    

  7. Import the CA (root) certificate into the server keystore first. keytool only accepts a certificate reply if it can build a chain from it to a certificate already in the keystore, so importing the signed certificate before its issuer fails with "Failed to establish chain from reply":
    
    keytool -keystore server.keystore.jks -alias CARoot -import -file ca-cert
    

  8. Import the CA-signed certificate into the server keystore under the key pair's alias. This replaces the self-signed certificate created in step 4; the private key is already in the keystore:
    
    keytool -keystore server.keystore.jks -alias tec-w-003752 -import -file CASignedCert.pem
    
    

Method 2

  • CA-signed certificate with CN (commonName) validation
  • Created with OpenSSL
  • EC key on the P-384 curve instead of RSA

Steps

  1. Generate the CA key and certificate. The -des3 option encrypts the private key with a passphrase; you are prompted for it here and again whenever the key is used (signing in step 5):
    
    openssl genpkey -out CAprivateKey.pem -des3 -algorithm EC -pkeyopt ec_paramgen_curve:P-384 -pkeyopt ec_param_enc:named_curve
    openssl req -x509 -new -sha384 -key CAprivateKey.pem -out CAcert.crt -days 365
    

    1. When prompted for the Distinguished Name, give the CA its own CN (one that identifies it as a test CA). With CN validation, the client compares the server's hostname with the CN of the server certificate, not of the CA, so the hostname
      CN:tec-w-003752.labs.Strategy.com
      is entered when the signing request is created in step 4.
    2. CAcert.crt is already PEM encoded; this command only rewrites it under a .pem name:
      
      openssl x509 -in CAcert.crt -out CAcert.pem
      

  2. Add CA certificate into client trust store:
    
    keytool -keystore client.truststore.jks -alias CARoot -import -file CAcert.crt

  3. Generate server key with OpenSSL:
    
    openssl genpkey -out ServerprivateKey.pem -des3 -algorithm EC -pkeyopt ec_paramgen_curve:P-384 -pkeyopt ec_param_enc:named_curve

  4. Generate the signing request. When prompted for the Distinguished Name, enter the server's hostname as the CN (CN:tec-w-003752.labs.Strategy.com); with CN validation this is the value the client compares with the hostname it connected to:
    
    openssl req -new -key ServerprivateKey.pem -out CSR.csr

  5. Modify
    openssl.cnf
    to set up CA signing environment. Sign the certificate:
    
    openssl ca -config "C:\Users\admin\Documents\KafKa\E2E\CN\CA\openssl.cnf" -in CSR.csr -out CASignedCert.crt
    openssl x509 -in CASignedCert.crt -out CASignedCert.pem
    

  6. Import the CA-signed certificate and the server key into the server keystore. keytool cannot import a bare private key, so bundle key and certificate into a PKCS#12 file first; the export password you choose becomes the key entry's password in the JKS unless you pass -destkeypass. If an older keytool rejects the file (older JDKs cannot read the AES/PBKDF2 encryption OpenSSL 3 uses by default), repeat the export with OpenSSL 3's -legacy option:
    
    openssl pkcs12 -export -in CASignedCert.pem -inkey ServerprivateKey.pem -name tec-w-003752 -out PKCS-12.p12
    keytool -importkeystore -srckeystore PKCS-12.p12 -destkeystore server.keystore.jks -srcstoretype pkcs12 -alias tec-w-003752
    

  7. Import the CA (root) certificate into the server keystore:
    
    keytool -keystore server.keystore.jks -alias CARoot -import -file CAcert.crt


 

Method 3

  • CA-signed certificate with SAN (subjectAltName) validation
  • Created with OpenSSL
  • RSA key

Steps

  1. Generate server CA key and certificate:
    
    openssl req -new -x509 -keyout ca-key -out ca-cert -days 1000
    

  2. Add CA certificate into client trust store:
    
    keytool -keystore client.truststore.jks -alias CARoot -import -file ca-cert

  3. Create a
    san.cnf
    file by following this documentation. It is an openssl req configuration whose req_extensions section carries a subjectAltName listing every DNS name and IP address clients will use to reach the server. Generate the server key and signing request with OpenSSL (-nodes leaves the key unencrypted):
    
    openssl req -out CASignReq.csr -newkey rsa:2048 -nodes -keyout Serverprivate.key -config san.cnf

  4. Modify
    openssl.cnf
    to set up the CA signing environment (see Additional Notes). Ensure
    copy_extensions = copy
    is enabled in
    openssl.cnf
    ; otherwise openssl ca drops the subjectAltName from the request and the issued certificate fails SAN validation. Sign the request from step 3 and keep only the PEM block of the result, which is the CASignedCert.pem used in step 5:
    
    openssl ca -config openssl.cnf -in CASignReq.csr -out CASignedCert.crt
    openssl x509 -in CASignedCert.crt -out CASignedCert.pem
    
    

  5. Import the CA-signed certificate and the server key into the server keystore. As in Method 2, the key and certificate are bundled into a PKCS#12 file first because keytool cannot import a bare private key:
    
    openssl pkcs12 -export -in CASignedCert.pem -inkey Serverprivate.key -name tec-w-003752 -out PKCS-12.p12
    keytool -importkeystore -srckeystore PKCS-12.p12 -destkeystore server.keystore.jks -srcstoretype pkcs12 -alias tec-w-003752
    

  6. Import the CA (root) certificate into the server keystore:
    
    keytool -keystore server.keystore.jks -alias CARoot -import -file ca-cert

Additional Notes

How do I set up the CA signing environment?

  1. Create the folders certs and newcerts.
  2. Create an empty file called index.txt. This is the CA database; openssl ca refuses to run if it is missing.
  3. Create a file named serial containing 01. You can run the command echo 01 > serial from cmd.exe to create this file. Ensure there are no quotes around 01. Do not use > in Windows PowerShell 5.x for this: it writes UTF-16 with a byte-order mark, which openssl ca cannot parse as a serial number (use Set-Content -Encoding ascii serial 01 there instead).
  4. Modify [CA_default] in openssl.cnf so that each entry points at the file or folder you just created:
    • certs = [certs folder path]
    • database = [index.txt file path]
    • new_certs_dir = [newcerts folder path]
    • serial = [serial file path]
    • certificate = [CA certificate file path]
    • private_key = [CA private key file path]
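The script below is an added example; it is not part of the KB article or of the Strategy product. It runs the "Additional Notes" setup and the Method 3 issuance end to end in a POSIX shell, then performs the checks a TLS client performs: chain validation against the CA, and hostname and IP matching against the SAN. It assumes OpenSSL 1.1.1 or 3.x on PATH, writes keys unencrypted (-nodes) so nothing prompts, uses a made-up CA name, and treats 10.23.4.99 as an example address; the keytool import steps are not run.

```shell
#!/bin/sh
# Added example, not from the KB article: builds a throwaway CA in a temp
# directory laid out as in "Additional Notes", issues a SAN certificate the way
# Method 3 does, and checks the result the way a TLS client would.
# Assumptions: openssl 1.1.1 or 3.x on PATH; keys are unencrypted (-nodes) so
# nothing prompts; the CA name and the example IP address are made up.
SAN_HOST="tec-w-003752.labs.Strategy.com"
SAN_IP="10.23.4.99"

# "How do I set up the CA signing environment?": folders, empty index.txt,
# serial = 01, and a [CA_default] that points at them (copy_extensions = copy
# is what carries the SAN from the CSR into the issued certificate).
setup_ca_env() {
  dir="$1"
  mkdir -p "$dir/certs" "$dir/newcerts"
  : > "$dir/index.txt"
  echo 01 > "$dir/serial"
  cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca      = CA_default
[ CA_default ]
certs           = $dir/certs
new_certs_dir   = $dir/newcerts
database        = $dir/index.txt
serial          = $dir/serial
certificate     = $dir/ca-cert
private_key     = $dir/ca-key
default_md      = sha256
default_days    = 1000
policy          = policy_any
copy_extensions = copy
[ policy_any ]
commonName      = supplied
[ req ]
distinguished_name = req_dn
prompt          = no
[ req_dn ]
CN              = Platform Analytics Test CA
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Method 3 step 1, with explicit CA extensions so verifiers accept it as a CA.
make_ca() {
  openssl req -new -x509 -newkey rsa:2048 -nodes -days 1000 -extensions v3_ca \
    -config "$1/openssl.cnf" -keyout "$1/ca-key" -out "$1/ca-cert"
}

# Method 3 step 3: a san.cnf carrying the SAN, then server key + CSR in one go.
make_server_csr() {
  cat > "$1/san.cnf" <<EOF
[ req ]
distinguished_name = req_dn
req_extensions     = req_ext
prompt             = no
[ req_dn ]
CN = $SAN_HOST
[ req_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$SAN_HOST,IP:$SAN_IP
EOF
  openssl req -new -newkey rsa:2048 -nodes -config "$1/san.cnf" \
    -keyout "$1/Serverprivate.key" -out "$1/CASignReq.csr"
}

# Method 3 step 4: sign with openssl ca. -notext writes plain PEM, which is what
# the article's extra "openssl x509 -in ... -out ..." step produces.
sign_server_csr() {
  openssl ca -batch -notext -config "$1/openssl.cnf" \
    -in "$1/CASignReq.csr" -out "$1/CASignedCert.pem"
}

# The client-side check: chain to the CA, then hostname and IP against the SAN.
verify_server_cert() {
  openssl verify -CAfile "$1/ca-cert" -verify_hostname "$SAN_HOST" "$1/CASignedCert.pem" &&
  openssl verify -CAfile "$1/ca-cert" -verify_ip "$SAN_IP" "$1/CASignedCert.pem"
}

# A name that is not in the SAN must be rejected; succeeds only if verify fails.
reject_wrong_host() {
  ! openssl verify -CAfile "$1/ca-cert" -verify_hostname "other.labs.Strategy.com" \
      "$1/CASignedCert.pem" >/dev/null 2>&1
}

work=$(mktemp -d)
setup_ca_env "$work" && make_ca "$work" && make_server_csr "$work" &&
  sign_server_csr "$work" && verify_server_cert "$work" && reject_wrong_host "$work" &&
  echo "test PKI built in $work"
```

After signing, serial reads 02 and index.txt holds one V (valid) line for the new certificate, which is how you can tell the [CA_default] paths were picked up. The same script issues a P-384 EC certificate, as in Method 2, if both occurrences of -newkey rsa:2048 are replaced with -newkey ec -pkeyopt ec_paramgen_curve:P-384. On Windows the heredocs do not apply, but the openssl commands are the same from cmd.exe with the paths adjusted.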

Details

Knowledge Article. Published: April 8, 2021. Last Updated: April 13, 2021.